South Carolina Healthcare Breach Notification Law: What Providers Must Do and When


Kevin Henry

Data Breaches

December 31, 2025


Overview of South Carolina Breach Notification Law

South Carolina’s data breach statute, S.C. Code § 39-1-90, sets the baseline for when and how organizations must notify residents after unauthorized access to certain personal data. It applies to any person or business that owns or licenses computerized data containing a South Carolina resident’s Personal Identifying Information, regardless of where the organization is located.

Under the law, a “breach of the security of the system” generally means the unauthorized acquisition of unencrypted (or otherwise unredacted) data that compromises the security, confidentiality, or integrity of Personal Identifying Information. Typical examples of Personal Identifying Information include a resident’s name in combination with data elements such as Social Security number, driver’s license or state identification number, or financial account credentials.

The statute includes practical guardrails. Good-faith acquisition by an employee or agent for a legitimate purpose is not a breach if the data is not used or subject to further unauthorized disclosure. Encryption and effective redaction are strong risk-reduction measures because they can remove an incident from the statute’s scope when keys are not compromised.

Notification Requirements for Healthcare Providers

As a healthcare provider, you must evaluate incidents under both state law and the HIPAA Breach Notification Rule if protected health information (PHI) is involved. When South Carolina residents’ Personal Identifying Information is affected, state notice obligations are triggered even if the incident also implicates PHI. If a vendor (such as a business associate) experiences the incident, it must notify you so you can meet downstream obligations.

Who must be notified depends on the data and the size of the incident. You must provide notice to affected individuals whose Personal Identifying Information was compromised. Notice may be delivered in writing by mail or electronically where the recipient has consented in accordance with federal e‑sign requirements. If direct notice is impracticable—because contact data is insufficient, the affected population is extremely large, or costs are prohibitive—South Carolina permits substitute notice using a combination of email, conspicuous website posting, and notification to major statewide media.

Healthcare providers should align content, timing, and delivery with internal incident response procedures and document every step. Coordinate early with counsel and your privacy and security teams to ensure the right law governs each data element and recipient group.

Timing and Content of Breach Notices

South Carolina requires notification in the most expedient time possible and without unreasonable delay, consistent with the needs of law enforcement and measures necessary to determine the scope of the breach and restore system integrity. If a law enforcement agency advises that notice will impede an investigation, you may delay until that agency determines that notice no longer compromises the inquiry.

Effective notices are clear, actionable, and complete. Your communication should include: what happened and when it was discovered; the types of Personal Identifying Information or PHI involved; what you have done to secure systems and prevent recurrence; what affected individuals can do to protect themselves; and how to reach you for assistance. Many providers also include guidance on fraud alerts and security freezes and, where appropriate, offer identity protection or credit monitoring services to help patients respond.

Deliver notices using channels your patients actually use. Pair written or electronic notices with a dedicated call center, an easy-to-find breach landing page, and accessible formats for people with disabilities or limited English proficiency.

Reporting to State and Federal Authorities

In addition to notifying affected individuals, South Carolina expects reporting to government and consumer protection bodies. You must provide a copy of your consumer notice and related details to the South Carolina Department of Consumer Affairs’ Consumer Protection Division. Include the number of residents affected, your timing, and a sample of the individual notice.

If notices are being sent to more than 1,000 South Carolina residents, you must also notify the nationwide Consumer Reporting Agencies of the timing, distribution, and content of the consumer notices. This helps the bureaus prepare for increased alert and freeze activity from your patients.

When PHI is involved, federal reporting also applies. You must notify the Secretary of Health and Human Services through the designated breach portal. If the incident affects 500 or more individuals in a single state or jurisdiction, you must notify prominent media in that area. For incidents affecting fewer than 500 individuals, maintain a breach log and submit it to HHS within 60 days after the end of the calendar year.

Compliance with HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires you to assess whether an impermissible use or disclosure of unsecured PHI poses a low probability of compromise using a four-factor risk assessment. Consider the nature and extent of PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which risks have been mitigated. If a breach is not excluded, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.

HIPAA prescribes specific notice content and delivery standards, including plain-language descriptions of the incident, the types of PHI involved, recommended steps individuals should take, and contact methods. For 10 or more individuals with insufficient contact information, HIPAA requires substitute notice—such as a 90‑day website posting with a toll‑free number—while still meeting timing rules.

When both HIPAA and South Carolina law apply, comply with the requirements that provide the greatest protection to individuals and meet the earliest applicable deadline. Align your state notices with HIPAA content elements so recipients receive one coherent, comprehensive communication.

Penalties for Non-Compliance

Failure to follow South Carolina’s statute can result in investigations and administrative fines imposed by state authorities, along with orders to implement corrective measures. Civil actions and reputational harm frequently multiply the cost of noncompliance, especially where delays or inadequate notices are involved.

HIPAA enforcement adds another layer of risk. The Office for Civil Rights may impose tiered civil monetary penalties per violation, with annual caps that scale based on your level of culpability and the length of time the violation persisted. Corrective action plans, outside monitoring, and mandated policy changes are common outcomes after significant incidents.

Contractual obligations with payers, health information exchanges, and business associates may also trigger indemnity claims or liquidated damages for security events or late notifications. Building compliance discipline into your incident response program is the most cost‑effective way to avoid cascading penalties.

Steps for Mitigating Data Breaches

1) Contain, preserve, and stabilize

Isolate affected systems, revoke compromised credentials, and preserve logs, images, and volatile data to support forensic analysis. Avoid wholesale reimaging until evidence is secured and legal counsel approves the approach.

2) Mobilize your response team

Engage privacy counsel, information security, compliance, leadership, and key vendors. If PHI is involved, loop in your HIPAA privacy and security officers and applicable business associates. Establish a single source of truth for incident facts and decisions.

3) Investigate and assess risk

Determine what Personal Identifying Information and PHI were accessed, exfiltrated, or viewed; the number of South Carolina residents involved; and whether encryption or redaction protects the data. Complete the HIPAA four‑factor assessment and document rationales thoroughly.

4) Coordinate with law enforcement

Notify law enforcement as appropriate and honor any temporary request to delay notice if disclosure would impede an active investigation. Record the requestor, the date, and when the delay is lifted.

5) Plan and execute notifications

Draft clear, patient‑friendly notices that satisfy both S.C. Code § 39-1-90 and the HIPAA Breach Notification Rule. Prepare state submissions to the Consumer Protection Division, notices to Consumer Reporting Agencies when triggers are met, and submissions to the Secretary of Health and Human Services. Stand up call center support and a dedicated web page to handle inquiries.

6) Offer support and reduce future risk

Consider providing credit monitoring or identity protection where financial data is implicated. Remediate root causes by patching systems, strengthening access controls and multifactor authentication, enhancing endpoint detection and response, and retraining workforce members on phishing and data handling.

7) Document, review, and improve

Retain your incident records, risk assessments, notices, and approvals for at least six years to meet HIPAA documentation requirements. After action, conduct a post‑incident review, update your incident response plan, and test with tabletop exercises so you can move faster next time.

Putting these steps in place before an incident—and rehearsing them—enables you to notify quickly, meet overlapping state and federal rules, and maintain trust with your patients and community.
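As an added example, not code from the article or from Accountable: a small Python model of the notification obligations described in steps 3 through 5 and in the reporting thresholds above (encryption scope, the HIPAA 60-day outer limit, the 1,000-resident consumer reporting agency trigger, the 500-individual media and HHS rules, and substitute notice for 10 or more individuals). The Incident fields and all sample values are constructed for illustration, and the model simplifies, for example treating a law-enforcement delay as a fixed end date.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

HIPAA_OUTER_LIMIT_DAYS = 60      # HIPAA: individual notice no later than 60 calendar days after discovery
SC_CRA_THRESHOLD = 1000          # S.C. Code 39-1-90: notify nationwide CRAs when more than 1,000 residents
HIPAA_MEDIA_THRESHOLD = 500      # HIPAA: media notice when 500+ individuals in one state or jurisdiction
HIPAA_SUBSTITUTE_THRESHOLD = 10  # HIPAA: substitute notice when 10+ individuals lack usable contact data

@dataclass
class Incident:                  # constructed data model; the field names are this example's own
    discovered: date
    sc_residents_affected: int                   # SC residents whose PII was compromised
    phi_involved: bool
    encrypted_keys_safe: bool                    # data encrypted or redacted and keys not compromised
    individuals_by_state: dict = field(default_factory=dict)
    insufficient_contact: int = 0                # individuals with no usable contact data
    law_enforcement_hold_until: Optional[date] = None  # agency asked to delay notice until this date

def notification_plan(inc: Incident) -> dict:
    """Map incident facts to the obligations and deadlines the article describes."""
    plan = {"individual_notice": False, "deadline": None, "regulators": [],
            "media_states": [], "substitute_notice": False, "annual_log_due": None}
    sc_triggered = inc.sc_residents_affected > 0 and not inc.encrypted_keys_safe
    hipaa_triggered = inc.phi_involved
    if not (sc_triggered or hipaa_triggered):
        return plan              # encryption with uncompromised keys keeps the incident out of scope
    plan["individual_notice"] = True
    if hipaa_triggered:          # SC: "most expedient time possible"; HIPAA supplies the hard outer limit
        deadline = inc.discovered + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)
        if inc.law_enforcement_hold_until and inc.law_enforcement_hold_until > deadline:
            deadline = inc.law_enforcement_hold_until  # delay permitted while notice would impede an investigation
        plan["deadline"] = deadline
    if sc_triggered:
        plan["regulators"].append("SC Department of Consumer Affairs, Consumer Protection Division")
        if inc.sc_residents_affected > SC_CRA_THRESHOLD:
            plan["regulators"].append("nationwide consumer reporting agencies")
    if hipaa_triggered:
        plan["regulators"].append("HHS breach portal")
        total = sum(inc.individuals_by_state.values())
        if total < HIPAA_MEDIA_THRESHOLD:  # fewer than 500: log filed within 60 days after the calendar year ends
            plan["annual_log_due"] = date(inc.discovered.year, 12, 31) + timedelta(days=60)
        plan["media_states"] = [s for s, n in inc.individuals_by_state.items() if n >= HIPAA_MEDIA_THRESHOLD]
        plan["substitute_notice"] = inc.insufficient_contact >= HIPAA_SUBSTITUTE_THRESHOLD
    return plan
```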

FAQs

When must healthcare providers notify affected individuals under South Carolina law?

You must provide notice in the most expedient time possible and without unreasonable delay after determining a breach of the security of the system involving unencrypted Personal Identifying Information. You may delay if law enforcement advises that notice would impede an investigation. If HIPAA applies, you must also meet HIPAA’s outer limit of no later than 60 days from discovery.

What information must be included in a breach notification?

Include a plain‑language description of what happened and when, the types of information involved, steps you have taken to secure systems, recommended actions individuals can take, and clear contact methods for questions. Align the content with HIPAA requirements and, where appropriate, include information about identity protection services and guidance on security freezes and fraud alerts.

How do South Carolina breach notification requirements interact with HIPAA?

Most healthcare incidents trigger both regimes. Apply HIPAA to PHI and S.C. Code § 39-1-90 to Personal Identifying Information; meet the more protective requirement and the earliest applicable deadline. In practice, you deliver a unified notice that satisfies both sets of content rules and also complete required reports to the Consumer Protection Division, Consumer Reporting Agencies (when thresholds are met), and the Secretary of Health and Human Services.

What penalties apply for failure to comply with breach notification laws?

Noncompliance can lead to state investigations and administrative fines, along with court actions and corrective orders. Federally, the Office for Civil Rights may impose civil monetary penalties under HIPAA, require corrective action plans, and monitor your compliance. Contractual repercussions with payers and partners can add additional financial exposure.
